Download Raw Diff

Details

Reviewers

steakhal
NoQ
mikhail.ramalho
Szelethus

Commits

rGcd5783d3e82b: [analyzer][solver] Handle UnarySymExpr in SMTConv

Summary

Dependent patch adds UnarySymExpr, now I'd like to handle that for SMT
conversions like refutation.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

martong created this revision.May 13 2022, 7:07 AM

Herald added a reviewer: Szelethus. · View Herald TranscriptMay 13 2022, 7:07 AM

Herald added a project: Restricted Project. · View Herald Transcript

Herald added subscribers: manas, ASDenysPetrov, gamesh411 and 8 others. · View Herald Transcript

martong requested review of this revision.May 13 2022, 7:07 AM

Herald added a project: Restricted Project. · View Herald TranscriptMay 13 2022, 7:07 AM

Herald added a subscriber: cfe-commits. · View Herald Transcript

martong added a parent revision: D125318: [analyzer] Add UnarySymExpr.May 13 2022, 7:08 AM

minor nits;
Thanks

clang/include/clang/StaticAnalyzer/Core/PathSensitive/SMTConv.h
258	I would prefer the `fromUnOp` similarly to how `fromBinOp` is called.
453–455	If you discard the `FromTy`, you could have passed a nullptr there.

This revision is now accepted and ready to land.May 13 2022, 7:22 AM

Harbormaster completed remote builds in B164306: Diff 429230.May 13 2022, 8:26 AM

martong edited parent revisions, added: D125395: [analyzer][solver] Handle UnarySymExpr in RangeConstraintSolver; removed: D125318: [analyzer] Add UnarySymExpr.May 16 2022, 12:38 AM

martong marked 2 inline comments as done.May 16 2022, 12:50 AM

martong added inline comments.

clang/include/clang/StaticAnalyzer/Core/PathSensitive/SMTConv.h
258	Yeah, very good point, I just realized that `fromUnOp` is already implemented!
453–455	Ok, Changed it.

Use existing fromUnOp
pass nullptr as FromTy

Harbormaster completed remote builds in B164594: Diff 429633.May 16 2022, 1:45 AM

Something is messed up with the diff. You refer to fromUnOp() but it's not defined anywhere.

In D125547#3515259, @steakhal wrote:

Something is messed up with the diff. You refer to fromUnOp() but it's not defined anywhere.

No. There is no mess up here, the diff is correct. fromUnOp had been implemented way before. I missed that when I created the initial patch. So, we just have to call that preexisting function in getSymExpr.

steakhal accepted this revision.May 16 2022, 3:42 AM

There are Z3 refutation related assertions on open-source projects once the patch stack is applied. Interestingly it happens in fromBinOp.

clang-14: ../../git/llvm-project/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SMTConv.h:96: static const llvm::SMTExpr* clang::ento::SMTConv::fromBinOp(llvm::SMTSolverRef&, const llvm::SMTExpr* const&, clang::BinaryOperator::Opcode, const llvm::SMTExpr* const&, bool): Assertion `*Solver->getSort(LHS) == *Solver->getSort(RHS) && "AST's must have the same sort!"' failed.

This is the minimal reproducer:

int b;
long c();
void d(int e, long *f) { *f = e; }
void k() {
  long a = c();
  int g = a, h = g - 2, i = -h;
  _Bool j;
  d(i, &b);
  j &= b == 0;
}

I'd like to delay the commit of the patch stack until we can fix that, since Z3 refutation is essential for most of our (internal) users.

Fix Assertion `*Solver->getSort(LHS) == *Solver->getSort(RHS) && "AST's must have the same sort!"' failed.

Harbormaster completed remote builds in B166259: Diff 431970.May 25 2022, 7:45 AM

I think it looks greatt
There are a couple questions you need to think about, but I don't insist about changing anything if the code works passed widescale testing.

clang/include/clang/StaticAnalyzer/Core/PathSensitive/SMTConv.h
463	Could this fail spuriously due to a constness mismatch, since you compare QualTypes instead of types? What happens if one of these refers to typedef? Shouldn't we compare the canonical type pointers instead? Or this works out just fine in practice. I might over-worry this :D ALternatively, we could emit this cast only if the bitwidths are different. (which caused the sort difference, thus the crash)
clang/test/Analysis/unary-sym-expr-z3-refutation.c
29	So this is the implicit cast that we don't emit.

martong marked an inline comment as done.May 25 2022, 9:14 AM

martong added inline comments.

clang/include/clang/StaticAnalyzer/Core/PathSensitive/SMTConv.h
463	Could this fail spuriously due to a constness mismatch, since you compare QualTypes instead of types? No, I don't think so. The underlying `fromCast` would simply return the same `SMTExprRef` if the bitwidths are the same. What happens if one of these refers to typedef? The same as in case of the qualifier mismatch. Shouldn't we compare the canonical type pointers instead? Or this works out just fine in practice. I might over-worry this :D ALternatively, we could emit this cast only if the bitwidths are different. (which caused the sort difference, thus the crash) Good point. The code would be more direct and efficient like that, I am going to update.
clang/test/Analysis/unary-sym-expr-z3-refutation.c
29	Yes. Actually, without emitting SymbolCasts: `h` is evaluated as `$L<long> + 1`. However, the expression's type is `int`.

Compare the size of the types instead of the type pointers

steakhal accepted this revision.May 25 2022, 9:54 AM

Harbormaster completed remote builds in B166289: Diff 432019.May 25 2022, 10:17 AM

This revision was landed with ongoing or failed builds.May 26 2022, 5:17 AM

Closed by commit rGcd5783d3e82b: [analyzer][solver] Handle UnarySymExpr in SMTConv (authored by martong). · Explain Why

This revision was automatically updated to reflect the committed changes.

martong added a commit: rGcd5783d3e82b: [analyzer][solver] Handle UnarySymExpr in SMTConv.

tomasz-kaminski-sonarsource mentioned this in D140891: [analyzer] Fix assertion failure in SMT conversion for unary operator on floats..Jan 3 2023, 5:55 AM

steakhal mentioned this in rG3674421c4bc0: [analyzer] Fix assertion failure in SMT conversion for unary operator on floats.Jan 26 2023, 8:36 AM

Diff 432252

clang/include/clang/StaticAnalyzer/Core/PathSensitive/SMTConv.h

Show First 20 Lines • Show All 249 Lines • ▼ Show 20 Lines	case BO_LOr:
return fromBinOp(Solver, LHS, Op, RHS, /isSigned=/false);		return fromBinOp(Solver, LHS, Op, RHS, /isSigned=/false);

default:;		default:;
}		}

llvm_unreachable("Unimplemented opcode");		llvm_unreachable("Unimplemented opcode");
}		}

/// Construct an SMTSolverRef from a QualType FromTy to a QualType ToTy,		/// Construct an SMTSolverRef from a QualType FromTy to a QualType ToTy,
		steakhalUnsubmitted Done Reply Inline Actions I would prefer the `fromUnOp` similarly to how `fromBinOp` is called. steakhal: I would prefer the `fromUnOp` similarly to how `fromBinOp` is called.
		martongAuthorUnsubmitted Done Reply Inline Actions Yeah, very good point, I just realized that `fromUnOp` is already implemented! martong: Yeah, very good point, I just realized that `fromUnOp` is already implemented!
/// and their bit widths.		/// and their bit widths.
static inline llvm::SMTExprRef fromCast(llvm::SMTSolverRef &Solver,		static inline llvm::SMTExprRef fromCast(llvm::SMTSolverRef &Solver,
const llvm::SMTExprRef &Exp,		const llvm::SMTExprRef &Exp,
QualType ToTy, uint64_t ToBitWidth,		QualType ToTy, uint64_t ToBitWidth,
QualType FromTy,		QualType FromTy,
uint64_t FromBitWidth) {		uint64_t FromBitWidth) {
if ((FromTy->isIntegralOrEnumerationType() &&		if ((FromTy->isIntegralOrEnumerationType() &&
ToTy->isIntegralOrEnumerationType()) \|\|		ToTy->isIntegralOrEnumerationType()) \|\|
▲ Show 20 Lines • Show All 174 Lines • ▼ Show 20 Lines	if (const SymbolCast *SC = dyn_cast<SymbolCast>(Sym)) {
// Casting an expression with a comparison invalidates it. Note that this		// Casting an expression with a comparison invalidates it. Note that this
// must occur after the recursive call above.		// must occur after the recursive call above.
// e.g. (signed char) (x > 0)		// e.g. (signed char) (x > 0)
if (hasComparison)		if (hasComparison)
*hasComparison = false;		*hasComparison = false;
return getCastExpr(Solver, Ctx, Exp, FromTy, Sym->getType());		return getCastExpr(Solver, Ctx, Exp, FromTy, Sym->getType());
}		}

		if (const UnarySymExpr *USE = dyn_cast<UnarySymExpr>(Sym)) {
		if (RetTy)
		*RetTy = Sym->getType();

		QualType OperandTy;
		llvm::SMTExprRef OperandExp =
		getSymExpr(Solver, Ctx, USE->getOperand(), &OperandTy, hasComparison);
		steakhalUnsubmitted Done Reply Inline Actions If you discard the `FromTy`, you could have passed a nullptr there. steakhal: If you discard the `FromTy`, you could have passed a nullptr there.
		martongAuthorUnsubmitted Done Reply Inline Actions Ok, Changed it. martong: Ok, Changed it.
		llvm::SMTExprRef UnaryExp =
		fromUnOp(Solver, USE->getOpcode(), OperandExp);

		// Currently, without the `support-symbolic-integer-casts=true` option,
		// we do not emit `SymbolCast`s for implicit casts.
		// One such implicit cast is missing if the operand of the unary operator
		// has a different type than the unary itself.
		if (Ctx.getTypeSize(OperandTy) != Ctx.getTypeSize(Sym->getType())) {
		steakhalUnsubmitted Done Reply Inline Actions Could this fail spuriously due to a constness mismatch, since you compare QualTypes instead of types? What happens if one of these refers to typedef? Shouldn't we compare the canonical type pointers instead? Or this works out just fine in practice. I might over-worry this :D ALternatively, we could emit this cast only if the bitwidths are different. (which caused the sort difference, thus the crash) steakhal: Could this fail spuriously due to a constness mismatch, since you compare QualTypes instead of…
		martongAuthorUnsubmitted Done Reply Inline Actions Could this fail spuriously due to a constness mismatch, since you compare QualTypes instead of types? No, I don't think so. The underlying `fromCast` would simply return the same `SMTExprRef` if the bitwidths are the same. What happens if one of these refers to typedef? The same as in case of the qualifier mismatch. Shouldn't we compare the canonical type pointers instead? Or this works out just fine in practice. I might over-worry this :D ALternatively, we could emit this cast only if the bitwidths are different. (which caused the sort difference, thus the crash) Good point. The code would be more direct and efficient like that, I am going to update. martong: > Could this fail spuriously due to a constness mismatch, since you compare QualTypes instead…
		if (hasComparison)
		*hasComparison = false;
		return getCastExpr(Solver, Ctx, UnaryExp, OperandTy, Sym->getType());
		}
		return UnaryExp;
		}

if (const BinarySymExpr *BSE = dyn_cast<BinarySymExpr>(Sym)) {		if (const BinarySymExpr *BSE = dyn_cast<BinarySymExpr>(Sym)) {
llvm::SMTExprRef Exp =		llvm::SMTExprRef Exp =
getSymBinExpr(Solver, Ctx, BSE, hasComparison, RetTy);		getSymBinExpr(Solver, Ctx, BSE, hasComparison, RetTy);
// Set the hasComparison parameter, in post-order traversal order.		// Set the hasComparison parameter, in post-order traversal order.
if (hasComparison)		if (hasComparison)
*hasComparison = BinaryOperator::isComparisonOp(BSE->getOpcode());		*hasComparison = BinaryOperator::isComparisonOp(BSE->getOpcode());
return Exp;		return Exp;
}		}
▲ Show 20 Lines • Show All 313 Lines • Show Last 20 Lines

clang/test/Analysis/unary-sym-expr-z3-refutation.c

This file was added.

				// RUN: %clang_analyze_cc1 %s \
				// RUN: -analyzer-checker=core,debug.ExprInspection \
				// RUN: -analyzer-config eagerly-assume=true \
				// RUN: -verify

				// RUN: %clang_analyze_cc1 %s \
				// RUN: -analyzer-checker=core,debug.ExprInspection \
				// RUN: -analyzer-config eagerly-assume=true \
				// RUN: -analyzer-config support-symbolic-integer-casts=true \
				// RUN: -verify

				// RUN: %clang_analyze_cc1 %s \
				// RUN: -analyzer-checker=core,debug.ExprInspection \
				// RUN: -analyzer-config eagerly-assume=true \
				// RUN: -analyzer-config crosscheck-with-z3=true \
				// RUN: -verify

				// RUN: %clang_analyze_cc1 %s \
				// RUN: -analyzer-checker=core,debug.ExprInspection \
				// RUN: -analyzer-config eagerly-assume=true \
				// RUN: -analyzer-config crosscheck-with-z3=true \
				// RUN: -analyzer-config support-symbolic-integer-casts=true \
				// RUN: -verify

				// REQUIRES: z3

				void k(long L) {
				int g = L;
				int h = g + 1;
				steakhalUnsubmitted Done Reply Inline Actions So this is the implicit cast that we don't emit. steakhal: So this is the implicit cast that we don't emit.
				martongAuthorUnsubmitted Done Reply Inline Actions Yes. Actually, without emitting SymbolCasts: `h` is evaluated as `$L<long> + 1`. However, the expression's type is `int`. martong: Yes. Actually, without emitting SymbolCasts: `h` is evaluated as `$L<long> + 1`. However, the…
				int j;
				j += -h < 0; // should not crash
				// expected-warning@-1{{garbage}}
				}

clang/test/Analysis/z3-crosscheck.c

	// RUN: %clang_cc1 -analyze -analyzer-checker=core,unix.Malloc,debug.ExprInspection -DNO_CROSSCHECK -verify %s			// RUN: %clang_cc1 -analyze -analyzer-checker=core,unix.Malloc,debug.ExprInspection -DNO_CROSSCHECK -verify %s
	// RUN: %clang_cc1 -analyze -analyzer-checker=core,unix.Malloc,debug.ExprInspection -analyzer-config crosscheck-with-z3=true -verify %s			// RUN: %clang_cc1 -analyze -analyzer-checker=core,unix.Malloc,debug.ExprInspection -analyzer-config crosscheck-with-z3=true -verify %s
	// REQUIRES: z3			// REQUIRES: z3

	int foo(int x)			int foo(int x)
	{			{
	int *z = 0;			int *z = 0;
	if ((x & 1) && ((x & 1) ^ 1))			if ((x & 1) && ((x & 1) ^ 1))
	#ifdef NO_CROSSCHECK			#ifdef NO_CROSSCHECK
	return *z; // expected-warning {{Dereference of null pointer (loaded from variable 'z')}}			return *z; // expected-warning {{Dereference of null pointer (loaded from variable 'z')}}
	#else			#else
	return *z; // no-warning			return *z; // no-warning
	#endif			#endif
	return 0;			return 0;
	}			}

				int unary(int x, long l)
				{
				int *z = 0;
				int y = l;
				if ((x & 1) && ((x & 1) ^ 1))
				if (-y)
				#ifdef NO_CROSSCHECK
				return *z; // expected-warning {{Dereference of null pointer (loaded from variable 'z')}}
				#else
				return *z; // no-warning
				#endif
				return 0;
				}

	void g(int d);			void g(int d);

	void f(int a, int b) {			void f(int a, int b) {
	int c = 5;			int c = 5;
	if ((a - b) == 0)			if ((a - b) == 0)
	c = 0;			c = 0;
	if (a != b)			if (a != b)
	g(3 / c); // no-warning			g(3 / c); // no-warning
	Show All 19 Lines

This is an archive of the discontinued LLVM Phabricator instance.

[analyzer][solver] Handle UnarySymExpr in SMTConv
ClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 432252

clang/include/clang/StaticAnalyzer/Core/PathSensitive/SMTConv.h

clang/test/Analysis/unary-sym-expr-z3-refutation.c

clang/test/Analysis/z3-crosscheck.c

This is an archive of the discontinued LLVM Phabricator instance.

[analyzer][solver] Handle UnarySymExpr in SMTConvClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 432252

clang/include/clang/StaticAnalyzer/Core/PathSensitive/SMTConv.h

clang/test/Analysis/unary-sym-expr-z3-refutation.c

clang/test/Analysis/z3-crosscheck.c

[analyzer][solver] Handle UnarySymExpr in SMTConv
ClosedPublic